Vulnerability scanners or penetration testing software may detect PGP Universal Server as vulnerable against TLS renegotiation attacks as described in:
CVE-2009-3555 - "Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability"
CVE-2011-1473 - "Multiple Vendor SSL/TLS Renegotiation Denial Of Service Vulnerability"
This potential vulnerability is caused by a design flaw in SSL which is also included in the OpenSSL software used in PGP Universal Server.
To resolve this issue, upgrade PGP Universal Server to one of the following versions:
PGP Universal Server 3.2.x
PGP Universal Server 3.0.1 SP1 HF1
PGP Universal Server 2.12 SP4 HF1
To quickly test if your PGP Universal Server may be vulnerable, you can either use OpenSSL:
# openssl s_client -connect keys.domain.tld:443
Although advertised "Secure Renegotiation IS supported" issuing "R" fails on version 3.2.1 as renegotiating was disabled.
Secure Renegotiation IS supported
Protocol : TLSv1
Cipher : RC4-SHA
Key-Arg : None
Krb5 Principal: None
Start Time: 1350997633
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
30577:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
Or refer to the proof of concept exploits listed in the following links:
PGP Universal Server versions prior to 3.2.x (except 3.0.1 SP1 HF1 or 2.12 SP4 HF) may be vulnerable.
PGP Universal Server versions since 3.2.0, PGP Universal version 3.0.1 SP1 HF1 or 2.12 SP4 HF1 are not vulnerable.
For CVE-2009-3555 version OpenSSL 0.9.8k and below might be affected
For CVE-2011-1473 version OpenSSL 0.9.8k and below, version OpenSSL 1.0 or OpenSSL 1.0.2 might be affected
Please note that although PGP Universal Server shows an older OpenSSL version, it will contain all the latest patches as of the time of the release date.
For example on a PGP Universal 3.2.1 MP3 server, the fix for CVE-2009-3555 was applied but it shows an older OpenSSL version which would be vulnerable without the applied patch.
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008